6.2.0 Key Generation could (POSSIBLY) be UNCRACKABLE.

Status
Not open for further replies.

palantine

Well-Known Member
Member
Joined
Oct 5, 2014
Messages
174
Trophies
0
Age
38
XP
593
Country
Italy
I wrote a short explanation in another thread so I'll repost it here:

The new key generation explained:

The Switch has an Nvidia coprocessor (a second processor) inside of it called the TSEC or Falcon that handles cryptographic operations like AES and verifying signatures. This processor is ordinarily supplied a firmware when the Switch boots and then hands over the TSEC key to the boot loader so it can decrypt and load the rest of the firmware.

What was changed in 6.2 is that the TSEC firmware now derives one of the decryption keys internally rather than letting the boot loader do it. This means that despite having full control over the boot process, the derivation of this key now happens secretly where we cannot see it.

I'm looking at the TSEC firmware now to research this process but it may be simply out of our reach unless we can exploit or trick the TSEC into doing what we want or leaking the info. Here is a screenshot I took of reverse engineering the 6.2 TSEC firmware.

View attachment 149848
 

Essasetic

General Spectator
OP
Member
Joined
Jun 16, 2018
Messages
1,573
Trophies
1
XP
3,304
Country
United Kingdom
Well it's some form of progress :)
 

Zumoly

GBATemp Analyst
Member
Joined
Apr 27, 2018
Messages
1,817
Trophies
0
Location
Yorosso
XP
3,098
Country
Mali

Oh! Looks like they finally convinced Nvidia to lend a hand.
I believe cracking 6.2 will bring true CFW.
 

tom95

Member
Newcomer
Joined
Nov 4, 2018
Messages
9
Trophies
0
Age
28
XP
80
Country
Italy
Does the TSEC firmware have to be signed, or can you run your own?
 

m4xw

Ancient Deity
Developer
Joined
May 25, 2018
Messages
2,442
Trophies
1
Age
119
XP
6,958
Country
Germany
Does the TSEC firmware have to be signed, or can you run your own?
You can run your own but you are limited without entering authenticated mode, which needs "unknown secrets" simply said.

I'm looking at the TSEC firmware now to research this process but it may be simply out of our reach unless we can exploit or trick the TSEC into doing what we want or leaking the info
Could maybe do a side-channel attack, else... pretty much. Break cauth.
 
  • Like
Reactions: iriez and tom95
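A toy model of the trust boundary the posts above describe: palantine's explanation of the TSEC deriving a key internally, and m4xw's point that you can run your own firmware but are limited without entering authenticated mode. This is an added example, not code from the thread, from Nintendo or from NVIDIA. The real Falcon authentication scheme, key-slot interface and derivation function are not described here, so HMAC-SHA256 stands in for both the firmware MAC ("cauth") and the AES-based derivation, and every key, image and seed below is a constructed constant.

```python
"""Toy model of a Falcon-style crypto co-processor with an authenticated mode."""
import hashlib
import hmac

# Constructed stand-ins for values that live only inside the co-processor.
# Assumption: the real TSEC MAC scheme, key slots and KDF are not described in
# the thread; HMAC-SHA256 replaces whatever the hardware actually uses.
AUTH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")     # constructed
ROOT_SECRET = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed
KEY_LEN = 16

OFFICIAL_FW = b"official tsec firmware image (constructed)"
CUSTOM_FW = b"homebrew tsec firmware image (constructed)"
BOOT_SEED = b"host-supplied derivation seed (constructed)"


def firmware_mac(auth_key: bytes, firmware: bytes) -> bytes:
    """MAC the vendor attaches to a firmware image (the 'cauth' of the thread)."""
    return hmac.new(auth_key, firmware, hashlib.sha256).digest()


class Coprocessor:
    """Runs host-supplied firmware; secrets are readable only in authenticated mode."""

    def __init__(self, auth_key: bytes, root_secret: bytes) -> None:
        self._auth_key = auth_key        # never leaves the core
        self._root_secret = root_secret  # never leaves the core
        self.authenticated = False

    def load_firmware(self, firmware: bytes, mac: bytes) -> bool:
        """Any image runs, but only a correctly MACed one unlocks the secret slot."""
        expected = firmware_mac(self._auth_key, firmware)
        self.authenticated = hmac.compare_digest(expected, mac)
        return self.authenticated

    def read_secret_slot(self) -> bytes:
        """Unauthenticated firmware reads an all-zero slot instead of the secret."""
        if not self.authenticated:
            return bytes(len(self._root_secret))
        return self._root_secret

    def derive_key(self, seed: bytes) -> bytes:
        """The in-core derivation: the host only ever sees the output."""
        return hmac.new(self.read_secret_slot(), seed, hashlib.sha256).digest()[:KEY_LEN]


def boot(firmware: bytes, mac: bytes, seed: bytes = BOOT_SEED) -> tuple[bytes, bool]:
    """Host-side boot: hand the core a firmware image, get back a derived key."""
    core = Coprocessor(AUTH_KEY, ROOT_SECRET)
    authenticated = core.load_firmware(firmware, mac)
    return core.derive_key(seed), authenticated


def expected_official_key(seed: bytes = BOOT_SEED) -> bytes:
    """What the core computes with the slot unlocked (needs ROOT_SECRET, so the host cannot)."""
    return hmac.new(ROOT_SECRET, seed, hashlib.sha256).digest()[:KEY_LEN]


def unauthenticated_key(seed: bytes = BOOT_SEED) -> bytes:
    """What any unsigned firmware gets: a derivation over an all-zero slot."""
    return hmac.new(bytes(KEY_LEN), seed, hashlib.sha256).digest()[:KEY_LEN]


if __name__ == "__main__":
    # 1. Vendor-signed firmware: enters authenticated mode, derives the real key.
    key, ok = boot(OFFICIAL_FW, firmware_mac(AUTH_KEY, OFFICIAL_FW))
    print("official :", ok, key.hex())
    # 2. Homebrew firmware with a guessed MAC: runs, but derives over zeros.
    guess = firmware_mac(b"not the real auth key", CUSTOM_FW)
    key, ok = boot(CUSTOM_FW, guess)
    print("homebrew :", ok, key.hex())
    # 3. Official image patched by one byte: MAC no longer matches, same as 2.
    patched = OFFICIAL_FW[:-1] + b"!"
    key, ok = boot(patched, firmware_mac(AUTH_KEY, OFFICIAL_FW))
    print("patched  :", ok, key.hex())
```

The homebrew run is the "limited" case: the image executes and the derive call returns a value, but that value is computed over an all-zero slot and says nothing about the root secret. Patching even one byte of the official image drops it into the same state, which is why having full control of the boot process on the host side does not by itself expose the derivation inputs. In this model the only ways out are learning AUTH_KEY (forging the MAC) or reading the slot without the flag being set, which correspond to the "break cauth" and side-channel routes m4xw mentions.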

Giga_Gaia

Well-Known Member
Member
Joined
Sep 12, 2006
Messages
1,429
Trophies
1
Age
38
XP
1,222
Country
Canada
Smash won't include 6.2.0. The game went gold a while ago, which means production was well underway before 6.2.0 was released, so it's impossible for it to come with it or require it. Hell, even Pokemon doesn't require 6.0.0 or 6.1.0; it requires 5.1.0.

As for 2019 games, I am 100% certain 6.2.0 will be cracked long before the first game releases. Unfortunately for Nintendo, pirates having hardware access means there is nothing long term they can do.
 
  • Like
Reactions: matias3ds

tom95

Member
Newcomer
Joined
Nov 4, 2018
Messages
9
Trophies
0
Age
28
XP
80
Country
Italy
You can run your own but you are limited without entering authenticated mode, which needs "unknown secrets" simply said.


Could maybe do a side channel attack, else... pretty much. Break cauth

Also, a very dumb question: if we have full boot access and the instruction set of the Tegra is well understood, can this problem be solved by loading a software layer between the CPU and the software that intercepts all system calls and alters some of them to load CFW components?
Would that make having the key unnecessary?
 
Last edited by tom95,